Jira (PUP-11131) Puppet type 'user' does not honor 'purge_ssh_keys: false'


Christoph Bihler (Jira)

Jun 29, 2021, 10:02:03 AM
to puppe...@googlegroups.com
Christoph Bihler created an issue
 
Puppet / Bug PUP-11131
Puppet type 'user' does not honor 'purge_ssh_keys: false'
Issue Type: Bug
Affects Versions: PUP 6.23.0
Assignee: Unassigned
Components: Types and Providers
Created: 2021/06/29 7:01 AM
Priority: Normal
Reporter: Christoph Bihler

It seems that the type user does not honor setting purge_ssh_keys => false correctly.

puppet language:

user { "myuser":
  ensure => present,
  [...]
  purge_ssh_keys => false,
}

leads to the following warning:

/Stage[main]/Mymodule/Mymodule::Mydefinedtype[myuser]/User[myuser] (warning): Ssh_authorized_key type is not available. Cannot purge SSH keys.

Diving into the code, this seems logical: https://github.com/puppetlabs/puppet/blob/main/lib/puppet/type/user.rb#L698

self[:purge_ssh_keys] may take values :true, :false and ["string1", "string2"], but

irb(main):001:0> foo = :false
irb(main):002:0> foo.empty?
=> false
irb(main):003:1* if !foo.empty?
irb(main):004:1*   puts "something wrong here"
irb(main):005:0> end
something wrong here
=> nil

I'd recommend the following patch to fix this:

--- /opt/puppetlabs/puppet/lib64/ruby/vendor_ruby/puppet/type/user.rb	2021-06-29 14:56:58.756944173 +0200
+++ /tmp/user.rb	2021-06-29 14:56:35.920004027 +0200
@@ -695,7 +695,7 @@
     end
 
     def generate
-      if !self[:purge_ssh_keys].empty?
+      if !self[:purge_ssh_keys].empty? && !(self[:purge_ssh_keys] == :false)
         return [] if self[:ensure] == :present && !provider.exists? 
         if Puppet::Type.type(:ssh_authorized_key).nil?
           warning _("Ssh_authorized_key type is not available. Cannot purge SSH keys.")
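
Review bot: On the changed "if" line in generate, the added clause !(self[:purge_ssh_keys] == :false) wraps an equality test in a negation; self[:purge_ssh_keys] != :false expresses the same check and is easier to read. A one-line comment there noting that :false is a Symbol, so it is not empty and passes the first clause, would explain why the extra test is needed. The file headers also point at local paths (/opt/puppetlabs/puppet/lib64/ruby/vendor_ruby/puppet/type/user.rb and /tmp/user.rb), so the diff should be regenerated relative to lib/puppet/type/user.rb before it is submitted.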


Josh Cooper (Jira)

Jun 29, 2021, 11:00:07 AM
to puppe...@googlegroups.com
Josh Cooper commented on Bug PUP-11131
 
Re: Puppet type 'user' does not honor 'purge_ssh_keys: false'

Christoph Bihler the error message means the https://forge.puppet.com/modules/puppetlabs/sshkeys_core module is not installed. Based on the file path /opt/puppetlabs/puppet/lib64/ruby/vendor_ruby/puppet/type/user.rb it appears you're not running for puppet-agent packages built by Puppet.

Christoph Bihler (Jira)

Jun 29, 2021, 12:52:02 PM
to puppe...@googlegroups.com

Josh Cooper that's correct, we're packaging ourselves based on puppet opensource version (and haven't changed our specfiles from 6.22→6.23, so that's something new).

basically we:

  • take source from https://downloads.puppetlabs.com/puppet/puppet-<version>.tar.gz
  • add:
    • Facter
    • Hiera
    • Ruby Augeas
    • Ruby Shadow
  • add ruby gems:
    • Concurrent Ruby
    • Deep Merge
    • Fast Gettext
    • Hiera eYAML
    • Highline
    • Hocon
    • HTTP Client
    • Locale
    • Multi JSON
    • Puppet Resource API
    • Semantic Puppet
    • Trollop

These are mostly the dependencies listed here: https://github.com/puppetlabs/puppet/blob/main/.gemspec#L34-L42
If there are some (external) module dependencies to make puppet (agent) run, they should be listed somewhere, or am I missing something?

Especially, it feels strange for me that a module is required if I explicitly tell the code not to use it
(therefore the patch)

Josh Cooper (Jira)

Jun 29, 2021, 1:43:02 PM
to puppe...@googlegroups.com
Josh Cooper commented on Bug PUP-11131

If you remove the purge_ssh_keys parameter, then it should work as expected, since the default is to not purge. That said, I agree short-circuiting when it's set to :false makes sense, though I find double negatives confusing, so maybe:

if !self[:purge_ssh_keys].empty? && self[:purge_ssh_keys] != :false

Note in general we don't fix bugs or implement features for third-party packages of puppet. But if you'd like to submit a pull request, we'd gladly accept.

Christoph Bihler (Jira)

Jul 1, 2021, 6:13:01 AM
to puppe...@googlegroups.com

I create a pull request

side note: in the CONTRIBUTING.md you reference a "Contributor License Agreement", but trying to sign this leads to a 404

Josh Cooper (Jira)

Jul 1, 2021, 3:11:02 PM
to puppe...@googlegroups.com

Josh Cooper (Jira)

Jul 1, 2021, 3:12:01 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
 
Change By: Josh Cooper
Release Notes: Bug Fix
Release Notes Summary: Puppet no longer emits a warning if the "purge_ssh_keys" parameter for the "user" type is set to false (the default) and the "sshkeys_core" module is not installed.

Josh Cooper (Jira)

Jul 1, 2021, 3:13:02 PM
to puppe...@googlegroups.com

Josh Cooper (Jira)

Jul 1, 2021, 3:13:03 PM
to puppe...@googlegroups.com

Josh Cooper (Jira)

Jul 2, 2021, 12:23:02 PM
to puppe...@googlegroups.com

Claire Cadman (Jira)

Jul 13, 2021, 8:20:03 AM
to puppe...@googlegroups.com